8 bits

I just found out I've been added to Forensic Focus' list of Twitterers. I'm honored with my top ranking :-)

Complete list: http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=4185

Harlan Carvey has managed to make a great new tool again: RipXP. RipXP is similar to rip.exe, in that it is a CLI tool and that it uses the same plugins as RegRipper and rip.exe. You give ripXP (as command line arguments) the hive file, the directory where the Restore Points reside, and a plugin to run. Once you have all this, ripXP will then:

- Access the hive file and guess what kind (SAM, System, NTUSER.DAT, Software, or Security) hive file it is (if it's an NTUSER.DAT file, it will attempt to retrieve the user's SID)

- Compare the type of hive file to the hive file that the plugin was written for; that is, if you pass it a System hive file, it won't let you run a plugin meant for an NTUSER.DAT file (just like rip.exe, ripXP includes the "-l" option so you can list all available plugins)

- Run the plugin against the hive file you selected

- Access the System Restore RP directories, and run the plugin against the appropriate hive

All this happens automatically, and the output goes to STDOUT, so all you have to do is redirect the output to a file.

Download RipXP at http://www.regripper.net/

Anybody who's working with Encase knows it's process indicator isn't accurate. You never know how long a process (acquire, verify etc.) wil take. The free Process Monitor of systinternals.com solves this problem.

How does it work

Download the free tool, unzip it and store procmon.exe in the c:\Windows\sytem32 folder

Next time you start to work with Encase, open a dosbox and type "procmon.exe". Process Monitor will now start.

Now add the following details:

Process name is Encase.exe then Include

Click Add and OK

Now, you can exactly see the processes of Encase.

I'm still workin' on it, but it seems to be possible to pipe the stdin output to logparser.

For example:

strings c:\temp\test.img | logparser "select * from stdin" -o:datagrid

example 2:

netstat -a | logparser "select * from stdin" -i:tsv -iseparator:space -nsep:2 -o:datagrid -fixedsep:off -nskiplines:2

This can have great possibilities and I certainly have to do more research

added March 31:

a real nifty combination: logparser and sed for windows

example:

logparser "select * from file1.csv" -i:TSV | sed "s/\"/ /g"

logparser and gawk for windows

example:

logparser "select * from file1.csv" -i:TSV | gawk {print$1$2$3$4}

With CaineLiveUsb you can boot and investigate devices without a CD-Rom drive (like netbooks etc.).

CAINE (Computer Aided INvestigative Environment) is a GNU/Linux live distribution created by Giancarlo Giustini as a project of Digital Forensics for Interdepartment Center for Research on Security (CRIS), supported by the University of Modena and Reggio Emilia. CAINE offers a complete forensic environment that is organized to integrate existing software tools as software modules and to provide a friendly graphical interface.

Visit the Caine website

PC memory analysis is increasingly important because of ever arising encryption techniques, polymorphic malware etc. Simply pulling the plug of a live machine and investigating the contents of the harddisk is not enough anymore. Here's a short guide how you can do a proper (minimal) analysis of live memory.